Handling Spam from Large Commercial Entities?
"It was at this point that principle kicked in. It's MY e-mail account. I wanted Amazon to stop mailing me information about whatever special they were advertising. Seeing no easy way to contact them electronically, I picked up the phone and gave them a call. Three operators and getting hung up on once later, I was told that Amazon.com would not stop sending me their spam, because I was not the Amazon.com account holder.
This brings up a new twist on spam, privacy, and recourse to be taken. It is in fact my e-mail account, paid for by me, and Amazon tells me I have no control over what I may receive via it. I could in fact notify my ISP to block incoming mail from Amazon, but I know people who work there and may actually wish to receive mail from them. There doesn't seem to be any 'complaints@amazon.com' alias available on their site. What action can be taken in this instance?
As it turned out, I forked over the phone to my wife, who in the process of 'modifying' her account information, wound up hunting through her wallet to find those last five digits on her credit card, which sounds more dubious than entering them into a text field on a website.
There are many other variables which might have factored into this: What if my wife had died since last Christmas? What if she had left me in that time? (more probable ;-) Perhaps she had canceled the credit card in question.
In any case, I find it completely unacceptable that I as owner of an e-mail account could not easily get an e-commerce provider to stop sending me e-mail. What courses of action are available for this problem? Are there any precedents for this?"
And the never-ending problem of spam continues... You would think that after all of the debates, the new laws, and filters that spam would be less of a problem, yet now we have legitimate commercial entities able to fill your electronic in-boxes and in certain situations like the one above, you may not be able to do anything about it. Do any of you out there have ideas on any solutions?
ActiveX and kak worm (Score:2)
It's either your fault or the fault of your OS vendor.
Some ActiveX controls are marked as "safe for scripting". IE will allow javascript to use these controls. And at least two controls [microsoft.com] which were marked as safe should not have been [sans.org]. That's how the kak worm [microsoft.com] works.
innocent postmaster? (Score:2)
The postmaster may be innocent of spamming per se, but they are guilty of providing an open relay for spammers.
Re:i find spamcop.net to work fairly well (Score:2)
It didn't do anything but it just felt good >:)
It can get ugly when that doesn't work (Score:2)
I used to support this company, Pixels, that makes a modelling/rendering package that's pretty high end in its way, Pixels 3D. I tried a demo, never could afford the actual product but got a phone call from them once and was so favorably disposed that I kept talking and ended up on the line with one of the programmers talking about different programming languages that could be used in shaders! I thought they were really cool.
I began to get different mail- before, I'd very occasionally got a very informal sort of note that didn't come off like spam at all, and I didn't mind that. Some new person came in and cranked up the email volume more and more, and the emails got harder and harder sell, until they were indistinguishable from full-on spam- nobody was listening, they weren't talking to _me_ anymore, I was just a target. It was set up as if it was a list, with instructions for unsubscribing. I don't trust 'remove' procedures from most spammers, but with my history interacting with Pixels I thought I could trust their remove procedures...
Nothing happened. The unsubscribe procedure was either broken, or being intentionally ignored. I couldn't tell which. This, not the spammish tone of the frequent emails, was what finally tipped me over the edge, and I began a full-on Spamcop.net assault against the company I'd once quite liked, bitterly. In fact I called their office and left a message stating exactly why I wished to never hear from them again and had changed from an interested potential customer to the opposite. The person they'd spoken to on the phone had turned into an enemy through _their_ actions- the actions of one marketroid whom they might not have even been keeping an eye on.
That worked- I don't know if I actually got their connectivity and website interrupted, or if someone figured out they were paying too high a price, but I don't hear from them anymore.
No company needs to make this horrible mistake. Talk about badwill.
HUH?!! credit card? (Score:2)
Am I the only one who sees storing credit cards as a problem? Nobody should ever be able to get at my credit card number. If amazon has it in a database it means a cracker has a chance to break in and get it.
Re:Oh give me a break... (Score:2)
Regarding the MAC address: That is a layer two protocol, not layer 3. That information isn't able to be transmitted across network segments. A router, access server (like a portmaster), bridge, or other similar devices will terminate that portion of the level 2 communication - it can't go any farther.
As for your other claim (I doubt there is any validity to your claims.), I suspect that microsoft does in fact do such things. It would not surprise me in the least.
Re:innocent postmaster? (Score:2)
Regardless of which it really is, I bounce it back to postmaster and abuse at that address seconds after the connection is made in hopes an alert person at that computer just might need some help preventing a disaster. It's a courtesy. In case that fails, I protect myself from further spam from that network by setting an ipchains entry blocking that class-c network. That guarantees me I won't be getting any more spam from them in the future.
Sue Em! (Score:2)
Re:my new patent .. (Score:2)
Complain to the company's network provider (Score:2)
dread:~$ nslookup www.amazon.com
Server: dread
Address: 0.0.0.0
Name: www.amazon.com
Address: 208.216.182.15
dread:~$ whois 208.216.182.15
UUNET Technologies, Inc. (NETBLK-UUNET1996B) UUNET1996B
208.192.0.0 - 208.249.255.255
Amazon.com (NETBLK-UU-208-216-180) UU-208-216-180
208.216.180.0 - 208.216.183.255
We supposedly have laws here in the US to protect us from this, but for some reason the big boys are exempt. Threatening to use the anti-spam laws is useless because of the time/cost needed to pursue this.
--weenie NT4 user: bite me!
Why make it easy to get off a spam list? (Score:2)
Another place that really bugs me is Outpost.com. Seems that it's fairly simple to get off their e-mail list, but every time you buy something from them, they *resubscribe you*. Needless to say, I don't buy anything from those clowns anymore.
I've seen all sort of hoops being put up that you have to jump through to get off a list. The *worst* I've seen is a recent MediaOne spam I got, which said, basically, that if I wanted off of their stupid mailing list, I needed to send them my physical address and contact information. WTF? This, ironically, was to be sent to their "consumer privacy" department. Lemme get this straight... I need to send you personal information via an unsecured e-mail link so you'll respect my privacy? Sweet.
One tactic you might try is to say that someone else gave your e-mail address as their own (in a big ISP, this has got to happen occasionally... jdoe21@hotmail is sometimes going to accidentally give an address of jdoe12@hotmail).
As with all sorts of spam, the best way to avoid getting it is to not give out your private e-mail. A Hotmail or other account is handy here. Moreso, in fact, since you can get the receipt info from whatever computer you're at. Of course, there is the privacy issue. You might try hushmail or some other encrypted web e-mail service.
Personally, I have my own domain, and the ability to create e-mail accounts at will. I'll use one for a while, then kill it.
Re:Easy solution (Score:2)
Re:Spam (Score:2)
Big Boys Seem to be Untouchable (Score:2)
1. Why have they not shut down Amazon's site yet, judging from how many complaints I see here, I can't believe they've not gotten complaints. Smells of an old boys network to me.
2. Half of the spam I get originated from Uu.net ips. I send complaints, get their canned response, then nothing. Often I get the same spam a few days later. WTF! Practice what you preach boys.
Amazon.com does not send spam. (Score:2)
When you sign up for an account at Amazon.com you are given the option of receiving mass mailings. If this person did not want to receive them, they should have clicked the opt-out. It is simple and painless and you can change it to opt-in or opt-out rather easily when you login.
This does not qualify as spam in any way. You asked for it, and Amazon.com sends it.
Also, it is too bad that the poster's wife did not keep track of her Amazon.com account properly and he feels that getting her Amazon.com account password is too difficult. However, this is done for security, which is in her best interest.
She should keep track of which credit cards she uses and where. This not only makes retrieving your Amazon account much easier, but also is good sound advice for shopping anywhere.
[And while I am here]
As some others have pointed out, this question is another cheap shot at Amazon.com from Slashdot. Amazon.com sells quality products at good prices to millions of people around the world. Amazon.com does not do anything unethical or illegal in its business practices. If at any time you don't like how Amazon.com does business, you can send email to feedback@amazon.com and a real person will read it.
If you're an ISP and you're getting Amazon.com email sent to dead accounts, you can contact techhelp@amazon.com and someone will work with you to stop the email.
P.S. I dread seeing Slashdot turn into, not only an Anti-Microsoft, but also an Anti-Amazon.com site on the back of cheap posts and flimsy Ask Slashdot Questions.
Re:out of curiousity (Score:2)
I have no idea where it comes from or even where I first saw it. A quick google search reveals that it appears in lots of places on the web.
Re:Simple rule (Score:2)
Spammers do wonderful things like sending to
jimsmith
jimsmith00
jimsmith01
jimsmith02
etc.
Chances are that is how you got hit. The spammer does not care, since hotmail is just going to say "uh, sorry, that account does not exist". Pick something like fjiogio83fj@hotmail.com. Chances are you won't get hit for a while. If you do get hit right off, then I would say hotmail is selling it.
Vote Nader [votenader.org]
Re:Simple rule (Score:2)
--
Open standards. Open source. Open minds.
The command line is the front line.
Double standards? (Score:2)
I was at a university where there was a "zero tolerance" policy against using your student account to send commercial e-mail. And yet they turned around and started spamming me with adverts for Student Publications. When I complained, and pointed out the double standard, they lamely countered that their committee had discussed it and decided it was OK, because it was "for a good cause". I counter-countered that I considered raising money for my education to be a good cause as well, so by their new standards I was entitled to use my account for spam too, see-how-fast-I-sue-you if you don't like it.
They quit sending me spam. I don't know if it's because my argument convinced them, or if they just took me off the list so they wouldn't have to listen to me anymore. (Makes no difference to me, so long their crap stops showing up in my mailbox.)
I don't have nearly so much spam trouble as I did a couple of years ago, but one big company that is being a real butt is Continental Airlines <CO.O.L._101700@airmail.continental.com>, may they rot in Hell for Christmas. They have an opt-out message at the bottom of their spam, but when I visited the site I got a blank page. (Linux not supported? Non-cookie visitors not supported?) And of course, the e-messages to postmaster and webmaster bounced.
Re:Sigh. Filters weren't invented--they evolved. (Score:2)
I visited a Web site late last night, and from what I saw there, I can assure you that the internet has not remained altogether chaste.
However, I'm quite angry about having to give them my credit card number, because -- honestly -- I only wanted to see the pictures out of scientific curiosity.
*ahem* the one thing to remember.. (Score:2)
Your email *account* is an endpoint for smtp mail. Unless your ISP offers you filters, that is *ALL* you are paying for, and, state-based legislation aside, you do not have a 'right' to prevent others from sending you mail. (Note I said prevent them from sending.... you *absolutely* have the right not to receive it.)
That's the whole problem with mail. You have no control over acceptance.
Re: (Score:2)
MP3.com Spams (Score:2)
I'm sure in the latter case that it's not Slashdot's fault, and I'm amazed that anyone would troll for addresses on this forum as the recipients are likely to be as spam-hostile as anyone.
Re:I don't have amazon problems (Score:2)
But seriously: why not report them to spamcop? I know from experience that receiving spamcop mails is a PITA when you're a legitimate business where folks *must* have already signed up for stuff, but it certainly makes the admins think to get it.
Either that, or write a perl script to send back a fake `bounced' mail...
~Tim
--
Re:innocent postmaster? (Score:2)
Re:Sorry, this isn't even spam, stop whining (Score:2)
Amazon's mail to Ironfist isn't spam, because it's really not unsolicited. IMO, Ironfist is not taking proper responsibility for delegating the use of his account to his wife. Remember, the prior business relationship was between Amazon and his wife. He had NO standing to modify her account settings in any way. Also, note that Ironfist says Amazon complied right away once they were able to confirm that his wife wanted the mail stopped.
I think this is a boundary condition case caused by the sharing of e-mail accounts and a ridiculous oversensitivity to what appears to be Amazon's correct protection of their customer's rights and privacy. I wonder if Ironfist would also whine to Slashdot if Amazon were to allow *anyone* claiming to own the account modify his wife's settings? Amazon was right not to act too quickly here, since that could have hurt one of their customers.
I understand Ironfist's frustration, but the situation was at least indirectly of his own making, and as an objective observer, I can't fault Amazon's actions in this case in any way.
Re:Bounce unwanted messages (Score:2)
The "to:" line is usually bogus in most spam - in reality it's completely decorative, and not used by the mail server at all.
Bad for Business (Score:2)
(BTW, since their 1-Click Patent fiasco, I haven't, and won't ever buy a book through them.)
Re:Ridiculous whiny consumer complaints. (Score:2)
All Amazon know about this e-mail address is that somebody used it to order some books. Now somebody, who seems to know nothing about the book ordering history, is trying to get the password for the account.
Would this not strike you as just a little bit suspicious?
Imagine the alternative scenario:
Husband and wife shared the e-mail account.
Husband tries to get into wife's Amazon account to order 500 hundred copies of "Why I hate you bitch." in the wife's name.
Now imagine the shit that would be heaped on Amazon if this happened.
The whole point of the Amazon account is that all the user information is stored there (including preferences on mailings). There is absolutely no way that they should change it without him satisfying some basic security check. Should he be able to change it so that he opted the amazon account into a mailing list?
Was it really too much effort to ask her "Darling, what was the title of one of the most recent books you've ordered from amazon?"
Re:Hmm.. (Score:2)
I think you missed the point. The real issue was that he shouldn't have needed a password to get taken off the list in the first place. It was his email, so it's his right to not get spam from Amazon in that address.
If someone else had signed up for Amazon and put his email address [whether on purpose or not] he would be unable to be removed from the list because there's no way for him to find out the password of whoever did that to him.
He was only able to do so in this case because it was his wife...
I do hope these companies figure this crap out soon, or the government is going to 'figure it out' for them :(
Ender
Speaking of SPAM from large corporations (Score:2)
I have more problems with SPAM from large corporations than I do from subject: XXX Want to see Hot Girls?
Serious.
Re: (Score:2)
I wouldn't say the questioner's a troll... (Score:2)
However, you certainly have raised a good point here. When there's potentially a situation that could result in someone getting information they shouldn't have or being able to pull a nasty "prank book order" or worse, then I think the company should take steps to minimize that possibility.
And it's a good idea to make sure whatever privacy buttons you want clicked GET clicked! Look for them first in the future.
Re:Simple rule (Score:2)
Besides, I enjoy smashing spammers. A little header analysis, a little nslookup, a little traceroute, a little whois, and a note to postmaster@whatever.net, and away goes a spammer's account, even if it is a game of whack-a-mole. Maybe I'll get on one of the "do not spam" lists that I've heard some of these fsckers use; they know who knows enough to track them down and make trouble.
In the case of an e-commerce spammer, I'd start by forwarding each piece, along with a "cut it out!" message, to the domain contacts revealed by whois. If that didn't work, nslookup and traceroute will reveal their upstream provider, and pointing out that a customer is using their resources to spam will usually light a fire under someone's ass.
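The header-analysis step described in the comment above, as an added example that is not part of the original post: it walks the Received chain from the top and stops at the first peer outside the reader's own provider, which is the address worth handing to whois. The sample message, the host names and the OWN_HOSTS/OWN_NETS values are constructed assumptions.

```python
import ipaddress
import re
from email import message_from_string

# Constructed sample message: example domains and documentation IP ranges only.
# The third Received line is written to look as if our own MX produced it.
SAMPLE = """\
Received: from mx.myisp.example (mx.myisp.example [192.0.2.10])
\tby mailbox.myisp.example with ESMTP id A1; Tue, 17 Oct 2000 10:00:03 -0400
Received: from relay.bulkhost.example (unknown [198.51.100.77])
\tby mx.myisp.example with SMTP id B2; Tue, 17 Oct 2000 10:00:01 -0400
Received: from mail.bigstore.example ([203.0.113.5])
\tby mx.myisp.example with SMTP id C3; Tue, 17 Oct 2000 09:59:58 -0400
From: "Special Offers" <offers@bigstore.example>
To: friend@public.example
Subject: Act now

Buy things.
"""

# Assumed values for the reader's own provider: the hosts whose Received
# lines can be trusted, and the networks those hosts live on.
OWN_HOSTS = {"mailbox.myisp.example", "mx.myisp.example"}
OWN_NETS = [ipaddress.ip_network("192.0.2.0/24")]

# Matches "from HELO (rdns [ip]) ... by HOST"; the rdns name is optional.
RECEIVED_RE = re.compile(
    r"from\s+(?P<helo>\S+)\s+"
    r"\((?:(?P<rdns>[^\s\[\]()]+)\s+)?\[(?P<ip>[0-9A-Fa-f.:]+)\]\)"
    r".*?\bby\s+(?P<by>\S+)",
    re.S,
)


def parse_received(raw):
    """Return the Received hops newest-first as dicts (helo, rdns, ip, by, addr)."""
    msg = message_from_string(raw)
    hops = []
    for value in msg.get_all("Received", []):
        match = RECEIVED_RE.search(value)
        if not match:
            continue
        hop = match.groupdict()
        try:
            hop["addr"] = ipaddress.ip_address(hop["ip"])
        except ValueError:
            continue  # malformed address literal, nothing to look up
        hop["by"] = hop["by"].lower()
        hops.append(hop)
    return hops


def find_handoff(raw, own_hosts=OWN_HOSTS, own_nets=OWN_NETS):
    """Locate the hop where the message entered our provider.

    Each server prepends its own Received line, so the top of the chain is
    the newest. A line is only believable if one of our hosts wrote it AND
    every line above it recorded an internal peer. The first external peer
    is the handoff; everything below it was supplied by that peer and is
    returned separately as unverified.
    """
    hops = parse_received(raw)
    for index, hop in enumerate(hops):
        if hop["by"] not in own_hosts:
            return None, hops[index:]
        if not any(hop["addr"] in net for net in own_nets):
            return hop, hops[index + 1:]
    return None, []


if __name__ == "__main__":
    handoff, unverified = find_handoff(SAMPLE)
    if handoff is None:
        print("no trustworthy handoff found")
    else:
        print("handoff peer:", handoff["ip"], "(claimed name %s)" % handoff["helo"])
        print("look up the network owner with: whois", handoff["ip"])
    for hop in unverified:
        print("unverified, do not report on this alone:", hop["ip"], "by", hop["by"])
```
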
Re:Spamming Bookstores (Score:2)
s/played ignorant/lied/g
0) Spam is theft.
1) Spammers lie.
2) If you think a spammer's telling the truth, see Rule #1.
3) Spammers are st00pid.
My story? A major online travel agency did the same goddamn thing to me. I fired off LARTs to investor relations and corporate, and got what appeared to be a Real Reply from one of their senior marketroids, apologizing profusely and telling me he'd remove me from their database.
One month later, spammed again. More LARTS, quoting the earlier email exchange in full, and pointing out that further spams would result in phone calls and a *VERY* well-documented RBL nomination. The mails were ignored, but at least I haven't been spammed again. Knock on silicon.
Remember Farmer Tackhead's advice:
If it comes out of a cow's ass, it's cowshit.
If it comes out of a horse's ass, it's horseshit.
If it comes out of a marketer's mouth, it's bullshit.
I've never done business with that travel agency again. And I never started to do business with Spamazon. All my book orders go through Powell's.
(All my travel bookings go through someone who has (yet) to spam me. Sadly, this online travel agency deals with me through a disposable mailbox at yahoo.com. They suffer due to the lies spewed by their competitors.)
This, and not credit fraud, is what's gonna kill e-commerce.
Re:Simple rule (Score:2)
Re:But clients can - when MS builds a backdoor... (Score:2)
Then why do they care about "isRegistered()" and "MSID"?
Your own domain (Score:2)
Re:Simple rule (Score:2)
Disposing accounts is a good idea but I'd rather just use the bulk filter in Hotmail, it works like a charm but the regular filter could use more rules like a To: or CC:.
If there was a law... (Score:2)
While I'm dreaming up an email utopia, what keeps ISPs from identifying spammers who dialed up on the open relay and sent 400,000 messages? Just call Ameritech or whomever and call their abuse department. Now with those 400,000 messages figure out the real cost to the ISP, bandwidth, CPU time, etc and send them a bill. Oh I would guess they would get a crappy rate and it would be $40,000. Cheaper than the post office. Sue them if they don't pay, garnish wages etc. That would stop them cold. Unless they're coming off-shore this should be happening all the time.
I'm still dreaming here but why don't we start a little campaign to inform technophobes that buying from spammers encourages spam. I'm sure enough banners and it'll get into the mainstream. "Grandpa are you crazy?! That's a spammer, go to a real store for your aluminum siding."
The really unfair part is the more you participate on the internet the more spam you'll get. Let's say you want the newest download and you have to fill out a webform, you use USENET, you find yourself quoted on some webpage with your email address attached, you're on a long list of CC:, you post to webboards, etc.
Most AOL users rarely venture out of the Disney-esque safe for family AOL net so their addresses don't get picked up and they don't understand what we're complaining about. Get a hold of every AOL address dump it on usenet and the angry AOL customer lobby will take care of the rest. Upstanding citizens and "family oriented users" blow experts, technophiles, and geeks out of the water when it comes to getting shit done on certain levels.
Fair? No. Effective? Yes.
Imagine how fast I would be laughed out of court if I complained about the busy modems at my little ISP compared to the colossal suit AOLers smote upon Steve Case.
Re:Simple rule (Score:2)
What's one got to do with the other? (Score:2)
Amazon should NOT require your password to stop mailing to you!
Amazon, like anyone else, should respect the legal right of the mailbox owner to control what mail gets sent to it. Amazon doesn't have the right to set up so many barriers to stopping mail to a mailbox that may never have even given permission.
What if I set up an account tonight and give your e-mail address? We know Amazon doesn't do any sort of verification; they just add you to the list. You can't possibly know or find out my password; you don't even know who did this to you.
Amazon's actions wouldn't stand up in court, if anyone had the time, energy and money to sue them. In fact, you could probably sue them in small claims to avoid the money part.
Re:Double standards? (Score:2)
Re:Sorry, this isn't even spam, stop whining (Score:2)
On what grounds do you declare it not spam? Do you work for Amazon? Why are you so worried about the sooper-sekrit c0nsipricy between Ironfist and Slashdot to "vilify" Amazon?
You can argue that the prior business relationship made it solicited, but once he requested it stop, it was clearly no longer solicited. It's unsolicited, it's bulk, it's email. That's spam.
Amazon needs to provide a way for mailbox owners to stop the mail. Period. Nothing to do with passwords, purchases, or anything else - Amazon simply doesn't have the legal right to send mail to people who don't want to receive it.
But he just wanted to get the unsubscribe password (Score:2)
Junkfilter for Procmail (Score:2)
Two Words (Score:2)
I realize that not everyone is fortunate enough to be able to handle their own mail server. Procmail works well with fetchmail too, though you really want to stop the messages before they come over your wire.
If you run your own mail server, you can also ipchain out the most offensive spam domains (*COUGH*Agis.net*COUGH*) I cut my spam by about 90% with an aggressive set of ipchains and some procmail scripts. Of course, most spammers seem to think my current domain is fake, which kind of helps.
Similar Story (Score:2)
I tried following the instructions at the bottom of the emails; it didn't work. I tried replying to the emails, asking politely to be taken off. I tried CC'ing those replies to various emails @yankees.com (root, abuse, spam, www, etc). They all bounced. I tried sending rather rude and vulgar. Still nothing.
I went to Yankees.com and looked for some sort of contact info. NOTHING!
Finally, I noticed something at the bottom of the site saying "Powered by ultrastar", so I went to their website, ultrastar.com, found their phone number and called them up. I got the reception desk, and asked to speak with whomever was in charge of yankees.com. I got a very nice lady on the phone, and explained my situation to her. I gave her my email address, and have never gotten another email from yankees.com again.
Cire
Re:I don't have this problem? (Score:2)
I'm sorry, but I don't see what you guys are all angry about here. Maybe I'm missing something, but for once isn't a corporation trying to *protect* your privacy?
Re:Sue Em! (Score:2)
The sad thing is that some of the Spambots automatically use the username as a greeting. So I was getting spam that said "Hi m_hockey, you have just won"
-
Re:Simple rule (Score:2)
All I can figure is that MS/Hotmail is actually selling the e-mail address when they explicitly state they won't. Also, I'm sure the "Hot Young Girls XXX" spams are not from affiliates of Hotmail.
Do-it-yourself solution (Score:2)
Re: (Score:2)
Re:Speaking of SPAM from large corporations (Score:2)
I hate them.
Re:Automate your complaint (Score:2)
### This script requires the basic UNIX 'mail'
### command, a working MTA, and the basic 'sh'
### shell.
# Assuming this file is saved as
#
# put this line in the appropriate crontab file:
#*/5 * * * * root
#!/bin/sh
YOUR_NAME="Annoyed Customer Number 5"
TARGET_NAME="Amazon.com"
TARGET_EMAIL="somwhere@amazon.com"
YOUR_EMAIL="annoyed_customer-5@isp.com"
`echo Dear $TARGET_NAME: If I, $YOUR_NAME on email address $YOUR_EMAIL am not removed from any and all email lists and spendings immediately, you will receive this email every five minutes until such time as I am. | mail -s "Please remove me from your email spam lists" $TARGET_EMAIL `
## end of script
Re:Filters (Score:2)
Re:Simple rule (Score:2)
get your friends to set up your email address as
"umbrella"
so they can email you without having to think about it.
mention it in your sig file so people can reply to your posts to usenet/slashdot.
Sorted!
Re:Simple rule (Score:2)
--------
get your friends to set up your email address as
"umbrella {name@domain.com}"
--------
where { =
plain text is apparently processed in some way in SlashDot!
New problem: political spam (Score:2)
Apparently, the Republican party has taken to spamming newsgroups as a form of canvassing for votes. I've seen RepubliSpam all over, in newsgroups like netscape.public.mozilla.general and alt.comic.sluggy-freelance. It's become really annoying.
It's like everybody on those committees that had to deal with anti-spam bills took one look at the subject of the legislation and thought, "Wow, that's really shady! Why aren't we doing that?"
---
Zardoz has spoken!
My way (Score:2)
I use that information as well as the address the spammer is claiming to use, and mail root, postmaster, and webmaster at the domains I find. In the case of providers like hotmail, abuse@ as well. I send a form message stating that I have received unsolicited mail (attached) and that any further communications received will result in a bill being sent to both the ISP serving the spammer and the spammer; for use of company time (time being worth $45 dollars an hour, with a typical spam "advertisement" using one half-hour to 45 minutes of time.)
It doesn't work every time, but I am usually successful.
---
Not as harassment! (Score:2)
A computer is able to be considered a fax machine if it's hooked to a phone line and a printer. The SPAM does not have to come as a fax transmission.
It provides for statutory damages. If you go for harassment, you would have to prove how much the spam hurt you. Under the SPAM fax law, there is a $500 statutory damages.
Easy in the UK - can you say DPA? (Score:2)
In effect, all records (originally just computer-based, but it's now moved out to all records regardless of media), concerning an individual are available to that individual (with a few exceptions for military/police intelligence purposes). In effect, if you write to a company like Amazon and ask to be removed from their mailing list, they must comply. Failure to do so gets them into hot-water with the Data Protection Registrar who can cause all sorts of nasty things to happen to a company.
Other nice features are the right to have access to algorithms and methods used on personal data that may affect you in some way - e.g. credit scoring, etc.
Re:But clients can - when MS builds a backdoor... (Score:2)
But even if they did, you have to know that their whole product ID database must be trash. I personally have installed about 300 NT servers with the product id of "111-111111". That key works on almost any MS product up until a couple of years ago. They teach you that in MCSE class, for crying out loud. There are eight thousand machines at my place of business with the same copy of Windows 95 on them. Sure we have licenses, but I'll be damned if I'm going to install it eight thousand times by hand. We use disk imaging like most companies of any size. In that case, knowing our product ID's would be useless to MS.
So even if they're gathering your product ID (of which there is zero evidence in this code) there's not jack they can do with it. They're bound to have millions of multiple entries.
And if they were, someone like NTBugtraq or the l0pht would have publicized a security exploit about it now. For that matter when I am at work again I'll just plug up a sniffer while I surf their site and see for myself what those functions retrieve. But you don't need to attribute to malice what is easily explained by idiocy.
Re:Spamazon (Score:2)
Or is it that their autospam program is too dumb to realize that other domains than
Re:But clients can - when MS builds a backdoor... (Score:2)
Re:Spamazon (Score:2)
"Disposable" email addresses (Score:2)
I have a domain (for argument's sake, let's call it domain.web), and any email address that's sent to it winds up in the same place.
So, for example, if I were to order from amazon, I'd give my email address as amazon@domain.web. I then set a configuration file to "enable" the account. Email to addresses that haven't been "enabled" get discarded (I never reply to unsolicited email, because you're giving away valuable info that that email is good). Email to addresses that have been enabled get saved. Every few weeks, I scan, via a web interface, the emails.
This way, I can also tell who sells my email address, or where spam comes from! Everyone gets their own email address
--- Speaking only for myself,
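One way to implement the per-vendor address scheme described in the comment above, as an added example that is not the poster's own code. It assumes the mail system records the envelope recipient in a Delivered-To header (the To: line is display-only, as another comment in this thread points out), and the alias table and sample messages are constructed.

```python
from email import message_from_string
from email.utils import parseaddr

DOMAIN = "domain.web"  # the placeholder domain used in the comment above

# Constructed "enabled" list: alias -> sender domains the alias was given to.
ENABLED = {
    "amazon": {"amazon.com"},
    "travel": {"travelshop.example"},
}

# Constructed sample messages. In the second one the To: header names
# somebody else entirely, yet the message was delivered to the amazon alias.
MESSAGES = [
    "Delivered-To: amazon@domain.web\nFrom: orders@amazon.com\n"
    "To: amazon@domain.web\nSubject: Your order\n\nShipped.\n",
    "Delivered-To: amazon@domain.web\nFrom: deals@bulkhost.example\n"
    "To: friend@public.example\nSubject: Act now\n\nBuy things.\n",
    "Delivered-To: jimsmith01@domain.web\nFrom: x@bulkhost.example\n"
    "To: jimsmith01@domain.web\nSubject: Hi\n\nGuessed address.\n",
    "Delivered-To: travel@domain.web\nFrom: news@mail.travelshop.example\n"
    "To: travel@domain.web\nSubject: Itinerary\n\nDetails.\n",
]


def domain_of(address):
    """Lower-cased domain part of an address header value, or '' if absent."""
    return parseaddr(address)[1].lower().rpartition("@")[2]


def classify(raw, enabled=ENABLED, domain=DOMAIN):
    """Decide what to do with one message delivered to the catch-all domain.

    Returns a dict with:
      action      'save' for an enabled alias, 'discard' for anything else
      alias       local part the message was delivered to (None if unknown)
      third_party True when an enabled alias received mail from a sender
                  other than the vendor it was handed to
    """
    msg = message_from_string(raw)
    rcpt = parseaddr(msg.get("Delivered-To", ""))[1].lower()
    local, _, rcpt_domain = rcpt.rpartition("@")
    if rcpt_domain != domain or local not in enabled:
        # Never-enabled or guessed addresses are dropped without a reply.
        return {"action": "discard", "alias": local or None, "third_party": False}
    sender = domain_of(msg.get("From", ""))
    # From: can be forged, so this flags messages for review; it is not proof.
    expected = any(sender == d or sender.endswith("." + d) for d in enabled[local])
    return {"action": "save", "alias": local, "third_party": not expected}


def leak_report(raw_messages, enabled=ENABLED, domain=DOMAIN):
    """Map each alias to the unexpected sender domains that reached it."""
    report = {}
    for raw in raw_messages:
        result = classify(raw, enabled, domain)
        if result["action"] == "save" and result["third_party"]:
            sender = domain_of(message_from_string(raw).get("From", ""))
            report.setdefault(result["alias"], set()).add(sender)
    return {alias: sorted(senders) for alias, senders in report.items()}


if __name__ == "__main__":
    for raw in MESSAGES:
        print(classify(raw))
    for alias, senders in leak_report(MESSAGES).items():
        print("alias %r is now used by: %s" % (alias, ", ".join(senders)))
```
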
I've been through this (Score:2)
Furthermore, we are well aware of the federal laws and statutes that pertain to the Web and especially to our site. Please be advised that we do not nor are we under any legal obligations to go any further on your request without the additional cooperation and assistance that we requested of you.
You've got to love that....
Re:That's what I do (Score:2)
It's really amazing how little spam you get if you keep your everyday address private.
As an aside, my
Oh give me a break... (Score:3)
MAC address, IP address, OS version, Browser version, etc.(the last three are recorded in the web server logs)
I doubt there is any validity to your claims.
terminated employees still get Amazon spam! (Score:3)
She is on AMAZON.COM's spam distribution list. I contacted Amazon.com customer support no less than ten (10) times in my quest to get her e-mail address removed from their spam list. I was roundly defeated in every attempt; I did not know her password; I did not know her credit-card number; I did not know what book she bought recently; and I was not her; so, they CONTINUE to send their spam which arrives at my address!
I find this to be appalling, because I am now the owner of this e-mail address, but there is NO WAY for me to get that address removed from their spam list.
How rude!!! If anyone from AMAZON.COM is reading this, you should know that I discourage everyone I know from doing business with you as a result of this fiasco.
I totally empathize with the author of the original question.
Re:MAPS (Score:3)
They feel that by getting sued, they will eventually get the chance to prove the constitutionality of spam or spam blockers. It will be interesting to see what happens.
Ridiculous whiny consumer complaints. (Score:3)
This e-mail was solicited. It is not spam.
Then we have the issue that the husband wants to break into his wife's Amazon account to change the subscription. Does the husband ask his wife what her password and credit card are? No, he expects Amazon to just hand over this information to someone else, namely him. Let's go over this briefly:
Bravo to Amazon for protecting his wife's privacy.
The fact that this was difficult to do is good. The fact that this gentleman found dealing with a large corporation frustrating when he could simply have asked his wife, and then turns this into a Slashdot complaint, is bizarre. Particularly when his wife chose to receive the e-mail. Yes, Amazon greased the way, but c'mon
Bottom line: this problem was solvable.
Bottom line: complainant didn't feel like following through.
Next!
----
Re:I don't have this problem? (Score:3)
Amazon has spent years running opt-out spam, spamming harvested addresses, and generally playing fast and loose with things. They've made people jump through opt-out hoops, they've managed to fail to handle unsubscribe requests, and they've never, ever, responded substantively to complaints about this process.
Re:Speaking of SPAM from large corporations (Score:3)
One solution to that problem comes readily to mind.
Seriously, the internet is going to keep getting crappier until people learn to say 'no'. There's not a site out there that has anything I need badly enough to put up with a bunch of crap just to get it.
If a site won't let me in without JavaScript and cookies enabled, fine. There are about 21,166,911 [netcraft.com] other Web sites out there that I can visit instead. Site supports Windows/IE only? Same deal. News site has a single paragraph per page so it can crowd in all the ads? Ditto.
I wouldn't wade through a pond of poop to get a free doughnut. Why should I lower my standards for the internet?
If people would quit visiting the sites that suck/stink/screw_you, then those sites would have to reform or go bust. Imagine.
</rant>
They can't make it easy... (Score:3)
Gfunk007
amazon.co.uk no better (Score:3)
Microsoft were similarly bad. Even after following their unsubscribe instructions, I was still getting mail. I rang up the agency doing the mailing, was politely annoyed at them for 20 minutes and eventually received a full apology and an explanation that Microsoft departments can obtain email addresses up to 3 months in advance of mailings, meaning that even once you're unsubscribed you'll get junk for up to 3 more months. Still, this time they promised that I'd been taken off their lists fully.
Right.
Another ad arrived a week later. A decidedly pissed off email to Microsoft later, I received a copy of my complaint that had been forwarded through 4 levels of customer service drones each adding something like "This customer appears annoyed. Can something be done?" culminating in webmaster@microsoft.com telling me that I'd been removed from all their lists. This time it seemed to work.
Moral of the story? Companies seem significantly more worried about having lots of customers on their email lists than they do about the small number of people who get annoyed at them as a result and probably will carry on doing so until enough people realise that they're not obliged to put up with it.
Re:Bounce unwanted messages (Score:3)
Spammers don't generally get the bounce messages. Most of them are relay raping some misconfigured mailserver using nothing more than a 33.6 modem with forged envelope from, forged from headers, forged receive lines and more. The bounces will usually end up sitting in the lap of an entirely innocent postmaster. It would take more time for the spammer to process bounces than it would save them when sending the spam in the first place.
However, this does stand a fairly good chance of working with "legitimate" spam (ie, that sent by companies on behalf of themselves) since they're actually paying for their bandwidth.
Republican party spam... (Score:3)
I thought, 'Naah, this can't really be the Republicans. They wouldn't do something as stupid as spamming people for support.' But then I did some research...and apparently they really are this stupid.
Here is a Salon article [salonmag.com] from 1999 about a Republican senate candidate's spam. And there's an anti-spam site with an article about the Californian Republican party [whew.com] spamming people. A mention in the Seattle Times [nwsource.com]. And then of course there's EChampions [echampions2000.com], the RNC-funded group who sent the spam that hit my mailbox.
If I needed a reason not to vote Republican, this gave me one. Bastards. But I suspect that the next election will be far worse, with candidates spamming from all sides.
Re:Spam (Score:3)
As seen on news.admin.net-abuse.email:
If you own the domain, configure sendmail to bounce connections from .cn domains with "550 Free Tibet JUNAQ DJQVD". The last two bits are randomness translated into bits of ASCII, and you can set up a cron job to change the random blocks every few hours or so. The result is "crypto" that the .cn government will never be able to crack, which is therefore bound to attract a lot of attention.
If you're more courageous, reply to the spammer. "Message received. Funds received and transferred to Falun Gong account as per your instructions. Sorry can't send back mail with PGP, I'm on friend's computer. Bye."
The Chinese government wields a mighty LART. If just 1% of American hosts receiving relay attacks from .cn machines did the "550 Free Tibet [crypto block]" trick, the Chinese government would wake up and solve the problem for us.
Microsoft has a system prober disguised as spam. (Score:3)
Did the mail look like an advertisement for a developer's conference? Did it have remove instructions asking you to send a reply or visit a web site to be removed? Did sending a reply bounce, so you had to use the web page?
If so, it wasn't just spam. It was an attempt to mine your machine for information.
I started getting those spams from microsoft - and I didn't even have a windows-capable machine anywhere in my domain. So after the unsubscribe email bounced I probed the web site (with an ancient version of Mosaic that didn't know how to do most of the dirty tricks B-) ).
The main page gave a link to a mailing-list manipulation page. The button on the page where you delete yourself from the mailing list downloads a very interesting page.
The page is a mix of HTML, Javascript, and VBScript.
- The HTML uses the instant-refresh trick to forward you to a page at register.microsoft.com if you're not java-enabled, else it runs the javascript.
- The javascript forwards you to the same page if you're not on a VBScript-enabled browser, else it runs the VBScript.
- The VBScript (judging by the names of the classes it uses) sniffs your registry and then forwards you to the same page, but with the registry information added to the URL.
I didn't follow it to the next page to see what other dirty tricks might have been embedded. (I presume the automatic forwarding eventually terminates on an 'unsubscribe me' page, so everything looks dandy.) But by this point register.microsoft.com already has the sniffed registry info (at least your Windows and browser versions), tied to your IP address and whatever other stuff the browser includes in the HTML request. And their server can feed you other pages, tuned to your configuration, to mine more info or maybe do some damage, before they finally give you the page you wanted.
So Microsoft found a new use for spam: Populating a database by sucking registry info out of the machines of any Windows user they could sucker into trying to use the web to get off their spam list.
The registry has all sorts of information in it. Here's some that I know exists there, for starters:
- The MAC address of any ethernet cards. (These are a unique identifier that can be used to recognize your individual machine, just like the Pentium CPU serial number that caused such a flap for Intel.)
- The names, version numbers, serial/program key numbers, etc. of any installed software, both from Microsoft and from most other vendors.
I leave it to you to imagine the intended uses of this information.
But clients can - when MS builds a backdoor... (Score:3)
But web clients, running on your machine, sure can.
The only possible way is if you ran an ActiveX control or an executable(scripting languages can't do this) that accessed the registry, but if you did that, it would be your own fault.
How about running a VBScript fragment that uses a Microsoft backdoor object to read the registry?
I've dug out and reviewed the code. I know zilch about VBScript except that it's object oriented. But by analogy with other OOP languages this VBScript checkFlags() routine sure looks to me like it uses a class called "RegWizCtl" to:
- Extract your MSID (your product key?)
- Start a string with:
"/REGWIZ/wiz40.asp?CRF=Y&RegMSID={your MSID}&"
- Iterate through the registry entries for the Windows and Windows NT version numbers:
- Check if they're registered and
- If they are, add "&D={n}" to the end of the string (where {n} is 1 for Windows, 2 for Windows NT).
- Return the string to the Javascript routine.
The Javascript routine looks like it checks whether your browser is internet explorer and your OS is Windows 98 or Windows NT 5, making a reference to the return from the VBScript routine if so, else making a reference to "http://register.microsoft.com/REGWIZ/wiz40.asp?C
The HTTP looks like it puts up a web bug to get an object named "RegWizCtrl" with class ID "CLSID:50E5E3D1-C07E-11D0-B9FD-00A0249F6B00" loaded, the zero-delay refreshes to "/REGWIZ/wiz40.asp?CRF=Y&" (if the Javascript hasn't done it already).
Tell you what: Here's the web page in question (minus a BUNCH of leading blanks on each line apparently designed to throw the code off the right of the window if it happened to be viewed). Maybe some of the HTML, Java, and VBScript experts on this board can tell us all what it really does.
(Of course this means that the whole slashdot community can see it and make their own versions. What a pity.)
Remember: Though this part might seem benign, it tells the server at "/REGWIZ/wiz40.asp":
- That you're running Windows 98 or Windows NT 5.
- That you're running Internet Explorer.
- That your system is subvertable using this mechanism.
So if your system IS subvertable there's nothing to keep
==============================================
To restore the original:
- Change leading blanks to tabs, 8 blanks to one tab.
- Add three leading tabs to every line starting with the "!--" line.
- Add seven more tabs to the start of the line containing "\Windows NT\"
- Change all occurrences of "[" to left-angle-bracket. (Someday I'll figure out how to put that character in a slashdot posting.)
- Join the lines beginning with "[OBJECT" and "CLASSID" (a long line that got wrapped by slashdot).
===============================================
[HTML>
[OBJECT ID="RegWizCtrl" STYLE="display: none" CLASSID="CLSID:50E5E3D1-C07E-11D0-B9FD-00A0249F6B
[/OBJECT>
[SCRIPT LANGUAGE="VBScript">
[!--
Function CheckFlags()
on error resume next
Dim sBuffer, sRegMSID
sRegMSID = RegWizCtrl.MSID
aProdKeys = Array("SOFTWARE\Microsoft\Windows\CurrentVersion"
"SOFTWARE\Microsoft\Windows NT\CurrentVersion")
sBuffer = "/REGWIZ/wiz40.asp?CRF=Y&RegMSID=" & sRegMSID & "&"
for iCounter = LBound( aProdKeys ) to UBound( aProdKeys )
RegWizCtrl.IsRegistered = aProdKeys( iCounter )
if RegWizCtrl.IsRegistered then
if err.number = 0 then
sBuffer = sBuffer & "&D=" & CStr( iCounter )
end if
end if
if err.number then err.clear
next
CheckFlags = sBuffer
End Function
' -->
[/SCRIPT>
[SCRIPT LANGUAGE=JavaScript>
[!--
if ((navigator.userAgent.indexOf("MSIE") >= 0 && navigator.userAgent.indexOf("Windows 98") >= 0) ||
(navigator.userAgent.indexOf("MSIE") >= 0 && navigator.userAgent.indexOf("Windows NT 5") >= 0))
{
location.href = CheckFlags();
}
else
{
location.href = "http://register.microsoft.com/REGWIZ/wiz40.asp?C
}
//-->
[/SCRIPT>
[META HTTP-EQUIV="REFRESH" CONTENT="0; URL=/REGWIZ/wiz40.asp?CRF=Y&">
[/HEAD>
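For triaging a saved copy of a page shaped like the one posted above, the following added example (not part of the original comment, and not Microsoft's code) statically lists embedded controls, the VBScript functions that read them, and any `location.href` assignment that calls such a function. The sample page is a constructed reduction of the posted listing with "[" already restored to "<"; the class and function names `PageScan` and `analyse` are hypothetical.

```python
import re
from html.parser import HTMLParser

# Constructed, reduced sample based on the listing in the comment above.
SAMPLE = """<HTML><HEAD>
<OBJECT ID="RegWizCtrl" STYLE="display: none"
 CLASSID="CLSID:50E5E3D1-C07E-11D0-B9FD-00A0249F6B00"></OBJECT>
<SCRIPT LANGUAGE="VBScript">
Function CheckFlags()
  sBuffer = "/REGWIZ/wiz40.asp?CRF=Y&RegMSID=" & RegWizCtrl.MSID & "&"
  CheckFlags = sBuffer
End Function
</SCRIPT>
<SCRIPT LANGUAGE="JavaScript">
if (navigator.userAgent.indexOf("MSIE") >= 0) { location.href = CheckFlags(); }
</SCRIPT>
<META HTTP-EQUIV="REFRESH" CONTENT="0; URL=/REGWIZ/wiz40.asp?CRF=Y&">
</HEAD></HTML>"""

class PageScan(HTMLParser):
    """Collects embedded controls, script bodies and META refresh targets."""
    def __init__(self):
        super().__init__()
        self.objects, self.scripts, self.refresh = {}, [], []
        self._lang, self._buf = None, []

    def handle_starttag(self, tag, attrs):
        a = {k: (v or "") for k, v in attrs}
        if tag == "object" and a.get("id") and "classid" in a:
            self.objects[a["id"]] = a["classid"]
        elif tag == "script":
            self._lang, self._buf = a.get("language", "javascript").lower(), []
        elif tag == "meta" and a.get("http-equiv", "").lower() == "refresh":
            m = re.search(r"(?i)url=(.*)", a.get("content", ""))
            if m:
                self.refresh.append(m.group(1))

    def handle_data(self, data):
        if self._lang is not None:      # inside a <script> element
            self._buf.append(data)

    def handle_endtag(self, tag):
        if tag == "script" and self._lang is not None:
            self.scripts.append((self._lang, "".join(self._buf)))
            self._lang = None

def analyse(html):
    """Return ([(object_id, classid, function)], [refresh_urls]).

    A finding means: a VBScript Function...End Function block reads a
    property of an embedded control, and some script navigates to that
    function's return value. Names are compared case-insensitively as a
    conservative heuristic.
    """
    scan = PageScan()
    scan.feed(html)
    scan.close()
    findings = []
    for obj_id, clsid in scan.objects.items():
        readers = set()
        for _, src in scan.scripts:
            for m in re.finditer(r"(?is)\bfunction\s+(\w+).*?\bend function", src):
                if re.search(rf"\b{re.escape(obj_id)}\.\w+", m.group(0)):
                    readers.add(m.group(1).lower())
        for _, src in scan.scripts:
            for m in re.finditer(r"location\.href\s*=\s*(\w+)\s*\(", src):
                if m.group(1).lower() in readers:
                    findings.append((obj_id, clsid, m.group(1)))
    return findings, scan.refresh

if __name__ == "__main__":
    print(analyse(SAMPLE))
```
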
That's what I do (Score:3)
That's exactly what I do. It also helps to find out what sites are being mined by the mailing-list sellers. (I've only gotten about three spams to "rod" so far. B-) )
Unfortunately, the WHOIS database of domain contact information is open and has been mined by the mailing list sellers. So having a domain gets you spam - to an address that you CAN'T ignore if you want to keep the domain.
The "cybersquatting" procedure starts by sending notices to the posted contact information (which is also where billing info is sent). Don't answer and you might find your domain reassigned to someone else. So if your domain name is at all desirable, you have to deal with spam.
Something that worked for me. (Score:3)
So to make my plight a little clearer I created a 500K file with nothing but the word "remove" in it. I then quoted the file as text in the body of my next e-mail to them. The response I got back from the system administrator was that they couldn't find my name in their mailing list and couldn't remove me. I responded back with the 500K text file again. The next e-mail I received was that I had been removed from their list. To this day I haven't received another e-mail from them.
The moral of the story, one 500K message is worth more than 500 1K messages.
How to get your passwd back... (Score:3)
I'm pretty sure you'll get your password this way.
Comment removed (Score:3)
Re:Microsoft has a system prober disguised as spam (Score:3)
Yes, the registry contains lots of nifty information. Besides the stuff you mention, it can store your passwords. If you have Auto complete enabled it'll even store your credit card numbers.
There are several things your browser sends, and it's available to any web server. Your browser brand and version, language, the URL you clicked through from, your IP address etc. A server can tell if you have Javascript enabled. Most of the stuff a web server can detect about you is defined in the HTTP standard. Yes, Microsoft was collecting this information. Then again, Slashdot collects the same information. /. knows your IP, browser version, Javascript capability, how long you stay, how often you visit, etc. Read the code [slashcode.com]. But so what. Most commercial websites collect this information.
However the registry and the information a browser sends are two very different things. There is no way a web server can get to your registry. And there are no secret API's that only Microsoft knows about. It would be way too much of a security risk, and someone would have blown the whistle a long time ago.
Actually, you would have more luck reading their registry than the other way around. IIS 4.0 and up provided a component that provided access to the web server's registry through a web page. You are able to set things up to perform any system admin task through a web page, if you want. Pretty insecure, if you asked me.
I watch the sea.
I saw it on TV.
Yes: "Spambouncer" (Score:3)
Re:I don't have this problem? (Score:4)
Hmm. It only takes 1-Click to buy something, but a bunch of personal information to get off their mailing list...
Who cares? (Score:4)
Would you rather have someone crack your e-mail address password and have them realize all they have to do is go to amazon and click a few buttons and they'll have access to your amazon account as well?
Anyway, if it bothers you that much, and you can't even go through the trouble to get your credit card out to verify that this is your account, all of amazon's mass e-mails are sent from specific e-mail addresses from amazon.com, such as history-editor@amazon.com or alerts@amazon.com, and you can filter out those specific addresses really easily in most modern mail programs.
This all leads me to the conclusion that you are a troll.
Re:Simple rule (Score:4)
Or a better solution which tempts me: Get your own domain, and create a new address for every company that requests one (e.g. amazon@mydomain.net). Then use mail aliases to decide if the company gets to send mail to your account or to
One-Click SPAM removal. (Score:4)
They are waiting for their one-click SPAM removal patent application to be confirmed. If they're not careful with such innovation, someone might steal it and use it to undermine their entire operation!
- Twi
I don't have this problem? (Score:4)
I don't know about the links in the e-mail, but if you go to Amazon.com [amazon.com] and scroll to the bottom you'll find a Privacy Notice link.
Click on it, and on the resulting page [amazon.com] you find a Customer Communication Preferences link.
Click on it, type your e-mail, select the forgotten password option and hit continue.
This will e-mail the password. Then update your e-mail preferences using the same two starting links.
I don't seem to have your problem?
IMHO Amazon.com has done a reasonable job of responding to the privacy and spam concerns of their customers. YMMV
Simple rule (Score:4)
Set up a free account with excite mail [excite.com] and use that for everything else. When it gets too spam-ridden, cancel it. Set up a new one.
I had 7 email accounts and usually got about 5 spams a day on some of them. I canceled those accounts, set up a new account which NO ONE but my friends/family gets, and set up an account at Excite (which is a nice one).
Email's cheap enough (free) that you can afford to set up a new one.
On the other hand, if you're already bombarded by spam, that is a problem.
Went through this myself recently... (Score:4)
Well, you could use my program (Score:5)
For example, my Yahoo member account has the word "yahoo" encrypted in the email address. The email address kiwi-nody4la is the word "sldot" (short for `slashdot') encrypted by the program.
This program also has support for encrypting time stamps (email addresses that time out), having a different encryption code for messages posted to Usenet, and encrypting the IP someone views a web page from.
The program is completely free, being under the public domain. Source can be found here:
Bounce unwanted messages (Score:5)
I've had great results with my method for handling spam - I use a great little Windows utility called Bounce Spam [er.uqam.ca] which sends an email to the spammer looking very much like a message from the server indicating that the message couldn't be delivered. I don't know if a similar utility exists for Linux but I wouldn't be surprised to find one.
Dead email addresses are less than useless to spammers - making them think yours is dead is the fastest way to get off their mailing lists.
Sorry, this isn't even spam, stop whining (Score:5)
Making a long story, shorter: it wasn't that simple. It should have been, but it turned out to be much worse.
In my experience, most things on Amazon are much easier and more straightforward. Create and cancel an order on Amazon - *very* easy. Now try the same thing with buy.com, outpost.com, or others - and good luck, because you simply can't do it through their web interfaces. The convenience of one-click (which I personally love) requires Amazon to be a bit more sure of who you are before sending out a password - passwords are for security after all, and your inability to manage your authentication credentials is hardly their fault.
It was at this point that principle kicked in. It's MY e-mail account.
Perhaps you should have considered this before letting someone else use your account. You hardly have cause to gripe here, as the situation is entirely of your own making...
This brings up a new twist on spam, privacy, and recourse to be taken. It is in fact my e-mail account, paid for by me, and Amazon tells me I have no control over what I may receive via it.
Again, you let your wife use it, and she, who was Amazon's customer, not you, selected the "let me know about things at Amazon" option. If this ticks you off, it's something you should discuss with your wife, not Amazon, as you aren't even a customer...
And the never-ending problem of spam continues...
Not really, your own post makes it clear that this was resolved with Amazon over the phone. This entire piece seems to be just an excuse to accuse Amazon of spamming, which they're clearly not doing here.
You may not like getting this mail, but what you've described is NOT spam. Not by a long shot.
And if the problem is resolved, just what was your motive for this posting? (and Slashdot's motive for selecting it for publication?) This whole thing looks like a very badly disguised attempt to vilify Amazon on unjust grounds...
MAPS (Score:5)
Sigh. Filters weren't invented--they evolved. (Score:5)
Look, the internet is going on thirty years old today. Do you have any idea how many doublings of Moore's law that is? Is it really that hard to believe that somewhere in there, when all those transistors got packed in really tight in warm dark quarters, they remained completely chaste? Is it so inconceivable that the result of just one of these matings could've produced the primordial ancestor of the modern internet filter?
The universe is an exciting enough place as it is. We don't have to resort to unsubstantiated but entrenched rumors about divine intervention in these strictly mortal affairs.